I get this message now when I add a new user for in the local CA server. Is Cisco removing the local CA server completely from the 5506-X?? WHY?
Yes you are correct as per 9.12 release notes.
The 9.12 release notes states that "This feature has become obsolete...". Is there another feature replacing it?
I'm running a Local CA server and issue certificates for devices that connect to VPN. This adds a layer of security since a valid certificate besides a password is required to be able to connect to the VPN service. Is there another way of doing this in the future if ASAs will no longer have the Local CA feature?
Thanks for your response. Can you please point me to some documentation on how to configure the user certificates on the ASA if they are from a public CA? Until now I always issued the user certificates from the ASA's local CA.
As I mentioned before, we use both a valid user certificate and a valid username\password combo to authenticate AnyConnect VPN clients.
here is the guide for PKI :
We are also using the local CA server at present. I understand that once it's gone we won't be able to issue new certificates, but does anyone know if it will also render current certificates invalid? My assumption is that it will as there will be no CA to validate the certificates against.
I know it's probably a bit of a stab in the dark but does anyone have any guesses as to when Cisco are likely to remove CA server completely, i.e. how much time do I realistically have to implement an alternative?
As long as the client still trusts the CA then the issued certificates will remain valid, (as long as they are in date, and not on a revoke list).
As for when it will be retired - who knows :(
Hi. Great video! I think there's some misunderstanding in this thread though.
Our ASA has a certificate from a public CA, that's not the problem.
Remote AnyConnect client software (mobile and laptops) connect to our ASA via IPSec tunnel and are required to have a valid username\password combination AND A VALID USER CERTIFICATE. This user certificate (which is installed on the clients both mobile devices and laptops) is issued by the ASA's Local CA by adding a user, see the attached pic. If I start issuing certs to my users from a public CA will the ASA accept the certificate?
At present you have a public signed Cert on the ASA, and privately signed certs for your users, from ASA CA
If you switch to
Publicly signed certificate on the ASA and privately signed certificates from Windows CA
Then nothing changes with your public cert, leave it where it is its fine.
You simply need to
1. Issue user certs to your users (Auto enrolment will do that for you)
2. Import the Root CA cert from your Windows CA onto the ASA and it will trust your user certs.
The answer I've been looking for! Thank you so much, I have been avoiding software updates on the ASA because of this. Now I can go ahead (after making a proper CA) :D